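 def hyuga_co():
     """Return a ``<random>.<hyuga domain>`` DNS-log host, or ``None``.

     Reads ``hyuga_domain`` / ``hyuga_token`` from the ``globals`` store.
     When both still hold the ``xxxxxx`` placeholder, a new identity is
     requested from the hyuga.co API and the returned domain and token are
     cached back into ``globals`` so later calls skip the network round-trip.

     Returns:
         The host string on success; the literal ``"bug"`` when the domain
         is a placeholder but the token is not (an inconsistent
         configuration); ``None`` when the request, the status check or the
         JSON decoding fails.  Callers use the truthiness of the result as a
         liveness test, so failures are deliberately reported as ``None``
         rather than raised.

     Relies on ``timeout``, ``random_md5``, ``globals`` and ``requests``
     from the enclosing scope.
     """
     headers_hyuga = {
         'User-Agent':
         'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
         'Connection': 'close',
         'Accept': '*/*',
         'Accept-Language':
         'zh,zh-TW;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6'
     }
     hyuga_api = "http://api.hyuga.co/v1/users"
     hyuga_host = globals.get_value("hyuga_domain")
     hyuga_token = globals.get_value("hyuga_token")
     try:
         if r"xxxxxx" not in hyuga_host:
             # A domain was configured by hand: no network access needed.
             return random_md5() + "." + hyuga_host
         if r"xxxxxx" not in hyuga_token:
             # Placeholder domain but a real token: nothing sensible to do.
             return "bug"
         # First use: ask the API for an identity and remember it.
         # NOTE(review): the endpoint is plain HTTP, so verify=False has no
         # effect here; the "identity" value is trusted as returned and used
         # verbatim as a hostname component.
         dns = requests.post(hyuga_api,
                             headers=headers_hyuga,
                             timeout=timeout,
                             verify=False)
         dns.raise_for_status()  # an error page is not a usable identity
         data = json.loads(dns.text)["data"]  # parse once, not twice
         hyuga_host = data["identity"]
         hyuga_token = data["token"]
         globals.set_value("hyuga_token", hyuga_token)
         globals.set_value("hyuga_domain", hyuga_host)
         return random_md5() + "." + str(hyuga_host)
     except Exception:
         # Network error, non-2xx status, malformed JSON, or a None
         # host/token (``in None`` raises TypeError): report "unavailable".
         return None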
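 def dnslog_cn():
     """Return ``<random>.<dnslog.cn domain>``, or ``"error"`` on failure.

     The dnslog.cn domain is fetched once and cached in ``globals`` under
     ``DNS_DNSLOG_HOST``; every later call reuses the cached value without
     touching the network.

     Returns:
         The host string, or the literal ``"error"`` when the request fails.
         Note that ``"error"`` is truthy, so a caller testing the result
         with ``if dnslog_cn():`` cannot tell failure from success by
         truthiness alone.

     Relies on ``timeout``, ``random_md5``, ``globals`` and ``requests``
     from the enclosing scope.
     """
     # NOTE(review): the Cookie header carries a fixed PHPSESSID; the domain
     # issued by getdomain.php presumably belongs to that session, so an
     # expired session would yield a domain whose lookups cannot be read
     # back.  Treat it as a configuration value that may need refreshing.
     headers_dnslog = {
         'User-Agent':
         'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
         'Host': 'www.dnslog.cn',
         'Cookie':
         'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
         'Accept': '*/*',
         'Referer': 'http://www.dnslog.cn/',
         'Accept-Language': 'zh-CN,zh;q=0.9',
         'Connection': 'close'
     }
     dnslog_api = "http://www.dnslog.cn/getdomain.php?t=0.08025501698741366"
     cached_domain = globals.get_value("DNS_DNSLOG_HOST")
     try:
         if cached_domain is not None:
             # Reuse the domain obtained earlier in this run.
             return random_md5() + "." + cached_domain
         # First use: obtain a domain and cache it for the rest of the run.
         # The endpoint is plain HTTP, so verify=False has no effect here.
         dns = requests.get(dnslog_api,
                            headers=headers_dnslog,
                            timeout=timeout,
                            verify=False)
         dns.raise_for_status()  # an HTML error page is not a usable domain
         globals.set_value("DNS_DNSLOG_HOST", dns.text)
         return random_md5() + "." + dns.text
     except Exception:
         return "error"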
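def dismap(line):
    """Normalise one line of a target file that may be dismap output.

    Args:
        line: one raw line of the target file.

    Returns:
        ``"######"`` for the dismap banner line (which also switches the
        ``DISMAP`` global to ``"true"``) and for any line containing
        ``"######"``; when dismap mode is active, the text between ``"{ "``
        and ``" }"`` on the line, or ``None`` if the line has no such
        field; otherwise the line unchanged.

    Relies on ``globals``, ``now`` and ``color`` from the enclosing module.
    """
    if "dismap" in line:
        print(
            now.timed(de=0) + color.yel_info() +
            color.green(" The file is dismap Identification results"))
        globals.set_value("DISMAP", "true")
        return "######"
    if "######" in line:
        return "######"
    if globals.get_value("DISMAP") != "true":
        return line
    # dismap wraps the target in "{ ... }"; take the first such field.  An
    # explicit emptiness check replaces the former bare ``except``, which
    # would also have hidden unrelated errors.
    fields = re.findall(r"[{] (.*?) [}]", line)
    if not fields:
        return None
    return fields[0]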
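def config():
    """Populate the ``globals`` store from the parsed command-line ``args``.

    Builds the default request header set, initialises the global
    key/value module and records every runtime option under the key the
    rest of the program reads.  Third-party service credentials (ceye.io,
    hyuga.co, fofa, shodan) are stored as ``"xxxxxxxxxx"`` placeholders;
    the code that uses them tests for ``"xxxxxx"`` to detect an
    unconfigured service.

    The ``DISMAP`` flag is initialised to ``"false"`` (the original wrote
    the misspelling ``"flase"``; nothing visible reads that spelling, and
    the documented values are ``false``/``true``).

    Relies on the module-level ``args`` namespace and ``globals`` module.
    """
    header = {
        'Accept':
        'application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, '
        'application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*',
        'User-agent':
        args.ua,
        'Content-Type':
        'application/x-www-form-urlencoded',
        'Connection':
        'close'
    }
    globals.init()  # bring up the global key/value module before any set_value
    # Runtime options, keyed exactly as the rest of the program reads them.
    runtime_options = [
        ("UA", args.ua),
        ("VUL", None),  # later set to the vuln name when exploit mode is chosen
        ("CHECK", args.check),  # target survival check
        ("DEBUG", args.debug),
        ("DELAY", args.delay),  # output delay
        ("DNSLOG", args.dnslog),  # which dnslog platform to use
        ("DISMAP", "false"),  # whether input is dismap output ("false"/"true")
        ("VULMAP", str(0.9)),  # program version
        ("O_TEXT", args.O_TEXT),  # text output path, if any
        ("O_JSON", args.O_JSON),  # json output path, if any
        ("HEADERS", header),
        ("TIMEOUT", args.TIMEOUT),
        ("THREADNUM", args.thread_num),
    ]
    # Third-party service credentials.  Keep real values out of version
    # control; the "xxxxxx" placeholder is what the consumers test for.
    service_credentials = [
        # ceye.io domain and token
        ("ceye_domain", "xxxxxxxxxx"),
        ("ceye_token", "xxxxxxxxxx"),
        # hyuga.co domain and token; optional, obtained automatically when
        # left as the placeholder
        ("hyuga_domain", "xxxxxxxxxx"),
        ("hyuga_token", "xxxxxxxxxx"),
        # fofa email and key
        ("fofa_email", "xxxxxxxxxx"),
        ("fofa_key", "xxxxxxxxxx"),
        # shodan key
        ("shodan_key", "xxxxxxxxxx"),
    ]
    for key, value in runtime_options + service_credentials:
        globals.set_value(key, value)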
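    def control_options(args):
        """Dispatch on the parsed command-line options and start the run.

        Handles, in order: proxy setup, the vulnerability-list banner, the
        custom thread-count notice, debug mode, the dnslog liveness check,
        output-file collision checks, and finally the poc/exp mode dispatch
        into ``core.control_webapps``.

        Args:
            args: parsed argparse namespace.  ``args.mode`` is rewritten to
                ``"exp"`` when ``args.vul`` is given; ``args.url`` is
                normalised by ``url_check``.

        Side effects:
            Prints status lines, sets ``DEBUG`` / ``RUNALLPOC`` in
            ``globals`` and calls ``exit(0)`` on every usage or pre-flight
            error -- note the exit status is 0 even on error, so a wrapping
            script cannot distinguish failure from success.

        Relies on ``globals``, ``now``, ``color``, ``core``, ``os`` and the
        helpers ``proxy_set``, ``vul_list``, ``dns_request``, ``url_check``,
        ``survival_check``, ``fofa`` and ``shodan_api`` from the enclosing
        module.
        """
        delay = globals.get_value("DELAY")
        now_warn = now.timed(de=delay) + color.red_warn()
        # Proxy: socks takes precedence over http when both are given.
        if args.socks:
            proxy_set(args.socks, "socks")
        elif args.http:
            proxy_set(args.http, "http")
        # NOTE(review): ``is False`` on args.list / args.debug presumably
        # matches a store_false flag in the parser -- confirm; as written the
        # banner and debug mode are enabled when the attribute is False.
        if args.list is False:
            print(now.timed(de=0) + color.yel_info() + color.yellow(" List of supported vulnerabilities"))
            print(vul_list())
        if args.thread_num != 10:  # 10 is the default thread count
            print(now.timed(de=0) + color.yel_info() + color.yellow(" Custom thread number: " + str(args.thread_num)))
        if args.vul is not None:
            args.mode = "exp"  # -v implies exploit mode
        if args.debug is False:
            print(now.timed(de=delay) + color.yel_info() + color.yellow(" Using debug mode to echo debug information"))
            globals.set_value("DEBUG", "debug")
        # Initialise the dnslog platform; its result doubles as a liveness test.
        if not dns_request():
            print(now_warn + color.red(" Dnslog platform (hyuga.co dnslog.cn ceye.io) is not available"))
        # Refuse to overwrite existing output files.
        if args.O_TEXT and os.path.isfile(args.O_TEXT):
            print(now.timed(de=delay) + color.red_warn() + color.red(" The text file: [" + args.O_TEXT + "] already exists"))
            exit(0)
        if args.O_JSON and os.path.isfile(args.O_JSON):
            print(now.timed(de=delay) + color.red_warn() + color.red(" The json file: [" + args.O_JSON + "] already exists"))
            exit(0)
        if args.mode is None or args.mode == "poc":
            if args.url is not None and args.file is None:
                # Single target given with -u.
                args.url = url_check(args.url)
                if survival_check(args.url) == "f":
                    print(now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + args.url))
                    exit(0)  # a single dead target leaves nothing to do
                print(now.timed(de=0) + color.yel_info() + color.cyan(" Start scanning target: " + args.url))
                if args.app is None:
                    globals.set_value("RUNALLPOC", True)  # all webapps on one URL
                core.control_webapps("url", args.url, args.app, "poc")
            elif args.file is not None and args.url is None:
                # Batch of targets given with -f.
                if not os.path.isfile(args.file):
                    print(now.timed(de=0) + color.red_warn() + color.red(" Not found target file: " + args.file))
                    exit(0)
                print(now.timed(de=0) + color.yel_info() + color.cyan(" Start batch scanning target: " + args.file))
                if args.app is None:
                    globals.set_value("RUNALLPOC", "FILE")  # all webapps on a file of URLs
                core.control_webapps("file", args.file, args.app, "poc")
            elif args.url is None and args.file is None and args.fofa is not None:
                # Targets come from the fofa search API.
                print(now.timed(de=0) + color.yel_info() + color.yellow(" Use fofa api to search [" + args.fofa + "] and start scanning"))
                if r"xxxxxx" in globals.get_value("fofa_key"):
                    print(now.timed(de=0) + color.red_warn() + color.red(" Check fofa email is xxxxxx Please replace key and email"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://fofa.so/user/users/info find key and email"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" How to use key and email reference https://github.com/zhzyker/vulmap"))
                    exit(0)
                # NOTE(review): the API key is echoed to the terminal (and to
                # any log capturing it); consider masking it.
                print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa email: " + globals.get_value("fofa_email")))
                print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa key: " + globals.get_value("fofa_key")))
                fofa_list = fofa(args.fofa, args.size)
                core.control_webapps("fofa", fofa_list, args.app, "poc")
            elif args.url is None and args.file is None and args.shodan is not None:
                # Targets come from the shodan search API.
                print(now.timed(de=0) + color.yel_info() + color.yellow(" Use shodan api to search [" + args.shodan + "] and start scanning"))
                if r"xxxxxx" in globals.get_value("shodan_key"):
                    print(now.timed(de=0) + color.red_warn() + color.red(" Check shodan key is xxxxxx Please replace key"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://account.shodan.io/ find key"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" How to use key reference https://github.com/zhzyker/vulmap"))
                    exit(0)
                # NOTE(review): the API key is echoed to the terminal; consider masking it.
                print(now.timed(de=0) + color.yel_info() + color.yellow(" Shodan key: " + globals.get_value("shodan_key")))
                shodan_list = shodan_api(args.shodan)
                core.control_webapps("shodan", shodan_list, args.app, "poc")
            if args.O_TEXT:
                print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result text saved to: " + args.O_TEXT))
            if args.O_JSON:
                print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result json saved to: " + args.O_JSON))
        elif args.mode == "exp":
            # Exploit mode needs both a target and a vulnerability name.
            if args.vul is not None and args.url is not None:
                core.control_webapps("url", args.url, args.vul, "exp")
            else:
                print(now_warn + color.red(" Options error, -v must specify -u"))
        else:
            print(now_warn + color.red(" Options error ... ..."))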
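def dns_request():
    """Pick a DNS-log platform and return a fresh ``<random>.<domain>`` host.

    The platform comes from the ``DNSLOG`` global: ``"auto"`` tries
    hyuga.co, then dnslog.cn, then ceye.io, and records the winner under
    ``AUTO_DNSLOG``; a value containing ``hyuga`` / ``dnslog`` / ``ceye``
    forces that platform.  The platform helpers are nested closures so they
    can share ``timeout``.

    Returns:
        The host string on success.  ``"no dnslog"`` when ``DNSLOG`` is
        unset or unrecognised, or when no platform is usable in auto mode.
        The forced ``hyuga`` branch returns ``str(...)`` of the helper
        result (so ``"None"`` on failure) and the forced ``dnslog`` branch
        may return the literal ``"error"``; both are kept for callers that
        compare against them.  The forced ``ceye`` branch calls ``exit(0)``
        when the ceye domain is still a placeholder.

    In auto mode each platform is probed exactly once and the probe result
    is the host returned (the original probed twice, and treated the
    failure markers ``"error"`` / ``"bug"`` as success because they are
    truthy, so ceye.io was never reached when dnslog.cn failed).

    Relies on ``globals``, ``requests``, ``random_md5``, ``now`` and
    ``color`` from the enclosing module.
    """
    timeout = globals.get_value("TIMEOUT")
    dnslog = globals.get_value("DNSLOG")

    def ceye_io():
        """Return a ceye.io host, or ``None`` when the domain is unconfigured."""
        ceye_host = globals.get_value("ceye_domain")
        if r"xxxxxx" in ceye_host:
            return None
        return random_md5() + "." + ceye_host

    def dnslog_cn():
        """Return a dnslog.cn host, or the literal ``"error"`` on failure.

        The domain is fetched once and cached under ``DNS_DNSLOG_HOST``.
        """
        # NOTE(review): the Cookie header carries a fixed PHPSESSID; the
        # issued domain presumably belongs to that session, so an expired
        # session would yield a domain whose lookups cannot be read back.
        headers_dnslog = {
            'User-Agent':
            'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
            'Host': 'www.dnslog.cn',
            'Cookie':
            'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
            'Accept': '*/*',
            'Referer': 'http://www.dnslog.cn/',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'Connection': 'close'
        }
        dnslog_api = "http://www.dnslog.cn/getdomain.php?t=0.08025501698741366"
        cached_domain = globals.get_value("DNS_DNSLOG_HOST")
        try:
            if cached_domain is not None:
                return random_md5() + "." + cached_domain
            # First use: obtain a domain and cache it.  Plain HTTP, so
            # verify=False has no effect here.
            dns = requests.get(dnslog_api,
                               headers=headers_dnslog,
                               timeout=timeout,
                               verify=False)
            dns.raise_for_status()  # an HTML error page is not a usable domain
            globals.set_value("DNS_DNSLOG_HOST", dns.text)
            return random_md5() + "." + dns.text
        except Exception:
            return "error"

    def hyuga_co():
        """Return a hyuga.co host, ``"bug"`` on inconsistent config, or ``None``.

        When domain and token are both the ``xxxxxx`` placeholder, a new
        identity is requested from the API and cached in ``globals``.
        """
        headers_hyuga = {
            'User-Agent':
            'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
            'Connection': 'close',
            'Accept': '*/*',
            'Accept-Language':
            'zh,zh-TW;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6'
        }
        hyuga_api = "http://api.hyuga.co/v1/users"
        hyuga_host = globals.get_value("hyuga_domain")
        hyuga_token = globals.get_value("hyuga_token")
        try:
            if r"xxxxxx" not in hyuga_host:
                # Configured by hand: no network access needed.
                return random_md5() + "." + hyuga_host
            if r"xxxxxx" not in hyuga_token:
                # Placeholder domain but a real token: nothing sensible to do.
                return "bug"
            # First use: request an identity and remember it.  Plain HTTP,
            # so verify=False has no effect; the "identity" value is used
            # verbatim as a hostname component.
            dns = requests.post(hyuga_api,
                                headers=headers_hyuga,
                                timeout=timeout,
                                verify=False)
            dns.raise_for_status()
            data = json.loads(dns.text)["data"]  # parse once, not twice
            hyuga_host = data["identity"]
            hyuga_token = data["token"]
            globals.set_value("hyuga_token", hyuga_token)
            globals.set_value("hyuga_domain", hyuga_host)
            return random_md5() + "." + str(hyuga_host)
        except Exception:
            # Network error, bad status, bad JSON, or None host/token.
            return None

    if dnslog is None:
        # Nothing configured; avoid the TypeError ``in None`` would raise.
        return "no dnslog"
    if dnslog == "auto":
        # Probe each platform once; a successful probe is the host we return.
        dns_req = hyuga_co()
        if dns_req and dns_req != "bug":
            globals.set_value("AUTO_DNSLOG", "hyuga")
            return dns_req
        dns_req = dnslog_cn()
        if dns_req != "error":
            globals.set_value("AUTO_DNSLOG", "dnslog")
            return dns_req
        dns_req = ceye_io()
        if dns_req:
            globals.set_value("AUTO_DNSLOG", "ceye")
            return dns_req
        print(
            now.timed(de=0) + color.red_warn() + color.red(
                " The dnslog platform cannot be used, please check the current network"
            ))
        return "no dnslog"
    if r"hyuga" in dnslog:
        return str(hyuga_co())
    if r"dnslog" in dnslog:
        return dnslog_cn()
    if r"ceye" in dnslog:
        if r"xxxxxx" in globals.get_value("ceye_domain"):
            print(
                now.timed(de=0) + color.red_warn() + color.red(
                    " Ceye.io domain and token are incorrectly configured"))
            exit(0)
        return ceye_io()
    return "no dnslog"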
def config():
    """Seed the ``globals`` store from the parsed command-line ``args``.

    Registers the default request headers, every runtime option and the
    third-party service credentials under the keys the rest of the program
    reads.  Relies on the module-level ``args`` namespace and ``globals``
    module.
    """
    header = {
        'Accept':
        'application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, '
        'application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*',
        'User-agent':
        args.ua,
        'Content-Type':
        'application/x-www-form-urlencoded'
    }
    globals.init()  # bring up the global key/value module before any set_value
    # Runtime options, keyed exactly as the rest of the program reads them.
    runtime_options = [
        ("UA", args.ua),
        ("VUL", args.vul),  # non-None selects exploit mode
        ("DEBUG", args.debug),
        ("DELAY", args.delay),  # output delay
        ("VULMAP", str(0.6)),  # program version
        ("O_TEXT", args.O_TEXT),  # text output path, if any
        ("O_JSON", args.O_JSON),  # json output path, if any
        ("HEADERS", header),
        ("TIMEOUT", args.TIMEOUT),
        ("THREADNUM", args.thread_num),
    ]
    # NOTE(review): ceye_domain / ceye_token below are concrete values
    # committed in source rather than the "xxxxxxxxxx" placeholder used for
    # the other services; a committed token should be rotated and loaded
    # from configuration instead of the code.
    service_credentials = [
        # ceye.io domain, token and records endpoint (token is appended)
        ("ceye_domain", "6eb4yw.ceye.io"),
        ("ceye_token", "2490ae17e5a04f03def427a596438995"),
        ("ceye_api", "http://api.ceye.io/v1/records?type=dns&token="),
        # fofa email and key, to be replaced by the user
        ("fofa_email", "xxxxxxxxxx"),
        ("fofa_key", "xxxxxxxxxx"),
        # shodan key
        ("shodan_key", "xxxxxxxxxx"),
    ]
    for key, value in runtime_options + service_credentials:
        globals.set_value(key, value)